New Gmail phishing campaign incredibly well designed

Earlier this week, a new phishing scam had been unveiled this time using Gmail as the bait. The latest attack, uses a clever technique where it mimics past email messages with PDF attachments, once the attachment is clicked it launches a “Gmail sign-in page”. According to The Independent:

‘A sophisticated new phishing technique that composes convincing emails by analyzing and mimicking past messages and attachments has been discovered by security experts.
Discovered by Mark Maunder, the CEO of WordPress security plugin Wordfence, the attack first sees the hacker send an email appearing to contain a PDF with a familiar file name.
That PDF, however, is actually a cleverly disguised image that, when clicked, launches a new tab that looks like this:

(Wordfence)

It’s the Gmail sign-in page, right? Not quite. A closer look at the address bar will show you that all is not quite as it seems:

(Wordfence)

Unfortunately, the attack’s imitation of the Gmail sign-in page is so convincing that many users will automatically enter their login details, simultaneously surrendering them to the hackers, who can proceed to steal your data and use one of your past messages to compromise another round of Gmail users.”

This is an incredibly well designed attack, the actual technology used is simple and elegant, but it clearly hits an ergonomic and psychological point. It looks so natural and being asked for credentials has become second nature to users who now just want to get rid of the windows and almost automatically will enter details where asked.

This attack reinforces the long-term IT security narrative that email remains a very attractive threat vector to attack organzations and private users alike. Some key things users need to keep in mind are:

Look for traits of suspected phishing emails. Some attributes to look for in emails include:

They will likely have a link or an attachment.

Include sites that are visually similar to a real business.

Promote gifts, or the loss of an existing account.

Check the source of information from incoming mail:

For example, your bank will never ask you to send your passwords or personal information by mail. Never respond to these questions, and if you have the slightest doubt, call your bank directly for clarification.

Even if the name looks familiar, always take a closer look at the email address or the website link it is sending you to.

Do not click on links included in emails. This might direct you to a fraudulent website. Type in the URL directly into your browser or use bookmarks / favourites if you want to go faster.

The best way to prevent phishing is to consistently reject any email or news that asks you to provide confidential data.